CloudSploit

Configuring Event Routings

Modified on: Sun, 5 Mar, 2017 at 2:47 PM

Event Routings are like alerts for your AWS events. Want to get a Slack notification every time someone logs into your AWS account? Want to email the security team immediately if CloudTrail logging gets disabled? You can with CloudSploit Event Routings.

To configure a routing, you first need an integration - a third-party connection to CloudSploit. See the first part of this help article if you need help configuring integrations.

Once you have some integrations, you can begin setting up routings.

Navigate to the Event Routings page.

Under "Setup New Routing," select the account the routing should apply to.

Select an integration from the list. This is where your event will be sent.

Next, select the actions that should trigger this routing. You can use the wildcard to match any event, although we do not recommend this because it can lead to rate limiting. You can select multiple options from the list; the routing triggers when any one of them matches. For example, selecting "ec2:AuthorizeSecurityGroupIngress" and "ec2:AuthorizeSecurityGroupEgress" would alert your integration if either event was matched.

Select a result severity. Selecting "FAIL" triggers the routing only if CloudSploit determines the security event impact to be significant. Selecting "WARN" triggers the routing on either "WARN" or "FAIL" results.
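To preview how the action list and severity choice affect alert volume before saving a routing, the matching rules above can be modelled locally. This is an added example, not CloudSploit code: the dictionary layout, the function names, the "*" spelling of the wildcard and the sample events are all assumptions made for illustration.

```python
# Added illustration: a local model of the routing rules described above.
# Not CloudSploit code. Assumptions: the wildcard is written "*", and each
# event carries an action name plus a "WARN" or "FAIL" result.

WILDCARD = "*"  # assumed spelling of the wildcard option

# Results that satisfy each selectable severity, per the text:
# "FAIL" matches FAIL only; "WARN" matches WARN or FAIL.
SEVERITY_MATCHES = {
    "FAIL": {"FAIL"},
    "WARN": {"WARN", "FAIL"},
}


def routing_fires(routing, event):
    """Return True if the routing would send this event to its integration."""
    actions = routing["actions"]
    # Multiple selected actions are alternatives: any one match is enough.
    action_ok = WILDCARD in actions or event["action"] in actions
    severity_ok = event["result"] in SEVERITY_MATCHES[routing["severity"]]
    return action_ok and severity_ok


def alerts_for(routing, events):
    """List the events a routing would forward, to preview alert volume."""
    return [e for e in events if routing_fires(routing, e)]


# Constructed sample events (not real CloudSploit output).
SAMPLE_EVENTS = [
    {"action": "ec2:AuthorizeSecurityGroupIngress", "result": "FAIL"},
    {"action": "ec2:AuthorizeSecurityGroupEgress", "result": "WARN"},
    {"action": "ec2:AuthorizeSecurityGroupIngress", "result": "WARN"},
    {"action": "cloudtrail:StopLogging", "result": "FAIL"},
    {"action": "s3:PutBucketAcl", "result": "WARN"},
]

SG_ACTIONS = {"ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress"}
SG_FAIL_ONLY = {"actions": SG_ACTIONS, "severity": "FAIL"}
SG_WARN = {"actions": SG_ACTIONS, "severity": "WARN"}
ANY_WARN = {"actions": {WILDCARD}, "severity": "WARN"}  # broadest, noisiest choice

if __name__ == "__main__":
    for name, routing in [("sg/FAIL", SG_FAIL_ONLY), ("sg/WARN", SG_WARN), ("*/WARN", ANY_WARN)]:
        print(name, "->", len(alerts_for(routing, SAMPLE_EVENTS)), "alerts")
```

On this sample the wildcard routing forwards every event, while the two-action routing at "FAIL" forwards one, which is the volume difference behind the rate-limiting advice.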